Amazon Outage And Cloud Common Sense

We probably shouldn't connect servers to the Internet, let kids play outside, or let Congress fix debt ceilings. OK, that last one may be true.

It probably shouldn't come as a big surprise that every time we write about a cloud failure, someone invariably leaves a comment that says something like: See, I told you so. Following that logic, we probably shouldn't connect any of our servers to the Internet, let our kids play outside, or let Congress deal with debt ceilings. OK, that last one may be true. Failure is part of life. The question is really about how much risk an organization is willing to tolerate.

Yesterday, InformationWeek's Charles Babcock wrote about how Amazon's European cloud service was taken down in a lighting strike in a Dublin, Ireland data center. The strike knocked out both the primary and secondary power supplies, customers were down, and data was lost. This was a freak occurrence, of course, and Amazon is planning to provide more details shortly. The CTO of disaster recovery specialist SunGard told Babcock that "customers would have had to take extraordinary measures to protect themselves" from such an incident.

Babcock discusses a few of these measures, one of which involves purchasing some extra protection (failover to a secondary zone in the data center) from Amazon, and yet Amazon wouldn't yet confirm whether that protection would have actually worked in this instance. This type of failover caused a re-mirroring storm back in April, Babcock reminds us. Still, the precautions exist.

And yet the story gets better. Today, Babcock reports that Amazon's Elastic Block Store cleanup process failed. This process is used to create data snapshots in the event of an outage, and the failure meant that some of those snapshots, which would be used to re-create lost data, were deleted. And the hits just keep on coming . . . Amazon indicates that the data is still recoverable.

Beyond cloud reliability lies the thorny issue of cloud security. On our security site, Dark Reading, contributor Jim Reavis reveals that only 53 percent of those who have taken the Cloud Security Alliance certificate of competency test have passed. Reavis said the goal was to create a moderately difficult test. I can't speak to the test's veracity, but it introduces even more uncertainty.

As Dr.Dobb's editor-in-chief, Andrew Binstock writes in a column yesterday on cloud security and privacy issues, many cloud providers offer the assurance that they "deliver better security of the hosted data than most data centers can provide." It may be true, and I have quizzed my fair share of cloud vendors on just this point and found their responses thorough. Clearly, their customers have pressed them even harder.

And yet, as Binstock points out, there's yet another threat vector: "Access by the provider itself either on its own initiative or at the request of government agencies." He examines the policies of cloud providers like DropBox and Box.net, and then goes on to argue that "IT organizations must encrypt their data. By encrypting data themselves, using software with no backdoor, sites can assure themselves of privacy."

You can read more about the reasoning behind Binstock's paranoia, but you need look no further than the story Mat Schwartz has written today about Research In Motion getting hacked, thanks to the company having publicly stated that it will help authorities trying to find culprits in this past week's London riots by turning over data it has on BlackBerry Messenger conversations. OMG. Privacy advocates and teenage girls everywhere had to have collectively shuddered at the implications.
As both Binstock and Babcock (one is tempted to make a limerick out of the two) outline, there are remedies to prevent data loss during outages, to ensure your provider is practicing "safe cloud," and to protect the privacy of company data. Some of these measures require effort, and none of them are flawless. Yet all of these risks exist in some measure inside the corporate data center as well.

After all, are the data centers hosted by cloud providers the only ones that mother nature strikes, like trailer parks gobbled up by tornados?

Fritz Nelson is the editorial director for InformationWeek and the Executive Producer of TechWebTV. Fritz writes about startups and established companies alike, but likes to exploit multiple forms of media into his writing.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.